US court orders keylogger CyberSpy to halt software sales

The Federal Trade Commission (FTC) won an injunction today against software …

The government's antimalware efforts don't receive as much attention as those of private businesses (perhaps because said efforts are perceived as having no observable impact), but the Federal Trade Commission (FTC), Department of Justice (DoJ), and Federal Bureau of Investigation (FBI) all work towards securing cyberspace. Yesterday, the FTC secured a temporary injunction against the keylogger software vendor CyberSpy, ordering that company to cease and desist from selling its product online.

In its original complaint, filed November 5, 2008, the FTC alleged (PDF) that CyberSpy (under the ownership of one Tracer R. Spence) has committed unfair/deceptive acts, either in or affecting commerce. Since August 2005, CyberSpy's main product has been a charming keylogger named RemoteSpy. As keyloggers go, RemoteSpy is (or was) fairly run-of-the-mill. Upon purchase, the would-be spy chose a login/password that would be used to monitor the collected data thereafter. The company's hook appears to have been the level of service that accompanied the program. The FTC's complaint states that numerous tutorials and "how-to's" were included with RemoteSpy, including information on disguising the payload in order to maximize the chance of infection.

Once it infects a machine, RemoteSpy devotes a fair amount of energy to staying invisible. According to CyberSpy, the program creates no entries under "Add/Remove Programs" or the Start Menu, and appears in neither the list of running applications nor the list of running processes shown by the Task Manager. RemoteSpy hides its own install and data-aggregation directories (no word on whether these become visible once the OS is told to show normally hidden folders and files), and copies itself from location to location to prevent the end user from permanently deleting it. When it's not busy ducking under bridges or diving into storm drains, RemoteSpy collects chat and IM conversations, login names and associated passwords, email, and pretty much anything else it can find. Screenshots of the unwitting user's desktop are reportedly snapped every five minutes or so, though the interval is presumably configurable.
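Each of the hiding behaviours described above leaves an artifact that an administrator can check for directly on a suspect Windows host: directories carrying the Hidden or System attribute, a process that one enumerator lists and another does not, and an autostart entry with no matching installed-program record. The script below is an added example written for this page; it is not CyberSpy's code and nothing in it comes from the FTC filing. It assumes Windows PowerShell 5 or later run from an elevated prompt, and the root paths, recursion depth and registry keys it looks at are illustrative choices, not a description of where RemoteSpy actually lived.

```powershell
# Added example (not from the article or from any CyberSpy/FTC material).
# Triage checks for the hiding behaviours described above. Assumes Windows
# PowerShell 5+ (for Get-ChildItem -Depth) and an elevated prompt so that
# protected directories and every process are readable.

# 1. Hidden or System-flagged directories in common drop locations.
#    Explorer hides these unless told to show hidden and protected OS files;
#    -Force makes Get-ChildItem list them regardless of that setting.
function Get-HiddenDirectories {
    param(
        # Illustrative roots; widen the list for a fuller sweep.
        [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData,
                             $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [int]$Depth = 2   # illustrative limit; raise it for a deeper sweep
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
                           ($_.Attributes -band [IO.FileAttributes]::System) } |
            Select-Object FullName, Attributes, CreationTime, LastWriteTime
    }
}

# 2. Cross-check two independent process enumerations (the process snapshot
#    behind Get-Process versus WMI's Win32_Process). A user-mode hook that
#    filters one view commonly misses the other, so a PID present in only one
#    list deserves a closer look. Processes that start or exit between the two
#    calls also show up here, so re-run before drawing conclusions.
function Compare-ProcessViews {
    $fromApi = Get-Process | ForEach-Object { [int]$_.Id }
    $fromWmi = Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId }
    Compare-Object -ReferenceObject $fromApi -DifferenceObject $fromWmi |
        ForEach-Object {
            $seenBy = if ($_.SideIndicator -eq '<=') { 'Get-Process only' } else { 'Win32_Process only' }
            [pscustomobject]@{ ProcessId = $_.InputObject; SeenBy = $seenBy }
        }
}

# 3. Autostart entries. A tool that avoids Add/Remove Programs still needs a
#    way to survive a reboot; the Run/RunOnce keys are the first place to look.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath, PSDrive etc.; skip those and keep real values.
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
        }
    }
}

Get-HiddenDirectories | Format-Table -AutoSize
Compare-ProcessViews  | Format-Table -AutoSize
Get-AutostartEntries  | Format-Table -AutoSize
```

None of these checks is conclusive on its own: legitimate software uses hidden directories and Run keys, and a keylogger that hooks both enumeration paths, or runs as a service or scheduled task, slips past steps 2 and 3. They answer the article's open question about hidden folders (attribute-hidden directories are plainly visible with -Force) and give a baseline to compare against a known-clean machine.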

Understanding the FTC's objection to this kind of software doesn't require a law degree. The complaint states: "Defendants have collected personal information from computers without the knowledge and consent of the owner... have stored the information on Defendants' servers, and have disclosed the information to unauthorized third parties. Defendants' actions cause or are likely to cause substantial injury to consumers that cannot be reasonably avoided and is not outweighed by countervailing benefits to consumers or competition."

The presiding US District Court judge agreed, at least enough to issue a temporary restraining order. As much as the FTC deserves an "A" for effort, however, the timeline of the case is an excellent example of how poorly equipped the government is when it comes to addressing this type of problem. The brief states that RemoteSpy has been available since "at least August 2005." The company in question, CyberSpy, apparently did business in Florida for long enough to be clearly identified as residing in that state, while the company CEO/manager, Tracer R. Spence (a close anagram of Spencer Tracy, though I'm not saying it's an alias) is similarly identifiable.

The FTC's own press release states that it authorizes the filing of a complaint when "it has reason to believe that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest." Apparently, the public interest can take a while to sort out.

Botnets, malware, and other forms of attack evolve and spread at a rate that is orders of magnitude faster than even the FTC's most expedient response. Long term, I suspect we'll see a joint team led by both industry white hats and government investigators, but the framework for operating that sort of organization (US-CERT is the closest current example) has yet to fully materialize. Until it does, government organizations will have only a very limited ability to address current malware threats.

UPDATE: The fine folks at the Electronic Privacy Information Center (EPIC) have informed me that they filed the initial investigation request with the FTC.